snort-0.99rc5-lib is a set of example Snort rules. It's a short one, about 43 rules total, but it gives a good overview of the basic rule types and how to use the pattern matcher properly. This version of snort-lib includes a new buffer overflow (named) and some other stuff.
547b794a5c635256ff67842936934e3287e9799174e0edaa0d5aa7e11921e4bd# This file posits that you're trying to defend the 10.1.1.0 class C network
# we're trying to log data to "sensitive" ports, plus alert on truly suspicious activity
# some of these things may not be suspicious in your network environment, but we run a
# fairly tight network (access wise) where I work, so most every alert rule for specific
# network rules shown here applies in my case
# if you need help writing a specific rule, feel free to drop me a line!
# -Marty (roesch@clark.net)
##################################
# alert on interesting packets
##################################
# look for stealth port scans/sweeps
alert tcp any any -> 10.1.1.0/24 any <SYN FIN Scan> {SF}
alert tcp any any -> 10.1.1.0/24 any <FIN Scan> {F}
alert tcp any any -> 10.1.1.0/24 any <NULL Scan> {}
alert tcp any any -> 10.1.1.0/24 any <XMAS Scan> {FPU}
# find backdoor attempts
alert udp any any -> 10.1.1.0/24 31337 <Back Orifice>
alert tcp any any -> 10.1.1.0/24 12345 <Netbus>
alert tcp any any -> 10.1.1.0/24 12346 <Netbus>
alert tcp any any -> 10.1.1.0/24 10752 <Linux mountd backdoor>
alert udp any any -> 10.1.1.0/24 2140 <Deep Throat>
# NT SNMP user list
alert udp any any -> 10.1.1.0/24 161 <NT user list> [|2b 06 01 04 01 4d 01 02 19|]
# IMAP buffer overflow
alert tcp any any -> 10.1.1.0/24 143 <IMAP buffer overflow!> [|E8 C0FF FFFF|/bin/sh]
alert tcp any any -> 10.1.1.0/24 53 <named buffer overflow!> [|CD80 E8D7 FFFF FF|/bin/sh]
# alert on incoming phf attacks
alert tcp any any -> 10.1.1.0/24 80 [/cgi-bin/phf] <PHF Attack!>
# netbios crap
alert udp any any -> 10.1.1.0/24 137 <SMB Name Wildcard> [CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|0000|]
alert tcp any any -> 10.1.1.0/24 139 <Samba client access> [|00|Unix|00|Samba]
alert tcp any any -> 10.1.1.0/24 139 <SMB CD...> [\...|00 00 00|]
alert tcp any any -> 10.1.1.0/24 139 <SMB CD..> [\..|2f 00 00 00|]
alert tcp any any -> 10.1.1.0/24 139 <SMB C$ access> [\C$|00 41 3a 00|]
alert tcp any any -> 10.1.1.0/24 139 <SMB D$ access> [\D$|00 41 3a 00|]
alert tcp any any -> 10.1.1.0/24 139 <SMB ADMIN$ access> [\ADMIN$|00 41 3a 00|]
# other interesting ports....
alert udp any any -> 10.1.1.0/24 161 <SNMP traffic>
alert tcp any any -> 10.1.1.0/24 143 <IMAP traffic>
alert tcp any any -> 10.1.1.0/24 512 <REXEC traffic>
alert tcp any any -> 10.1.1.0/24 513 <RSH traffic>
alert tcp any any -> 10.1.1.0/24 514 <RLOGIN traffic>
alert udp any any -> 10.1.1.0/24 194 <IRC traffic>
alert tcp any any -> 10.1.1.0/24 194 <IRC traffic>
alert tcp any any -> 10.1.1.0/24 111 <Portmap traffic>
alert udp any any -> 10.1.1.0/24 111 <Portmap traffic>
alert tcp any any -> 10.1.1.0/24 32771 <Sun portmap traffic>
alert udp any any -> 10.1.1.0/24 32771 <Sun portmap traffic>
# token DoS detector
alert udp 10.1.1.0/24 7 -> 10.1.1.0/24 19 <UDP bomb>
alert udp 10.1.1.0/24 19 -> 10.1.1.0/24 7 <UDP bomb>
# alert on stuff going where it probably shouldn't be
alert tcp any 53 -> 10.1.1.0/24 :1024 <Source Port traffic>
alert tcp any 25 -> 10.1.1.0/24 :1024 <Source Port traffic>
alert tcp any :1024 -> 10.1.1.0/24 :1024 <Source Port traffic>
#log all ICMP traffic
log icmp any any -> any any
#log interesting TCP/UDP traffic
#all tcp traffic below port 1024
log tcp any any -> 10.1.1.0/24 :1024
#grab xwindows traffic
log tcp any any -> 10.1.1.0/24 6000:6010
#high port RPC stuff too
log tcp any any -> 10.1.1.0/24 32000:33000
#do the same for UDP
log udp any any -> 10.1.1.0/24 :2000
log udp any any -> 10.1.1.0/24 32000:33000
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed